Protect yourself against mobile attacks: everything you need to know about vishing and smishing

Published by
WINMAG Pro Editorial Team
Tue, 07 May 2024, 14:15

Last year it also emerged that the number of attempts to spread malware within Europe rose by 500 percent. Mobile malware is now capable of far more than stealing identity data: it can record phone calls and video, track location, and delete or destroy content and data outright.

Longer-running attacks are also becoming more common on mobile. The scammer opens with an innocuous message; once the victim responds, the criminal keeps the conversation going for days or even weeks, building a bond of trust. Manipulation, deception and further exploitation of the human factor then do the rest.

Vishing and smishing were, according to Proofpoint's 2023 Voice of the CISO report, the threats Dutch CISOs were most concerned about. In the previous year's report, ransomware attacks topped that list.

Organizations and employees remain vulnerable as vishing and smishing evolve

Mark-Peter Mansveld, Vice President Northern Europe, Middle East and Israel at Proofpoint, shares his view on recent developments in attacks on mobile devices and communication platforms: "Phishing via mobile platforms, also known as vishing, targets one of the most vulnerable parts of an organization: the employees. Non-technical social engineering makes it easier to convince employees to take action. It is important that security awareness training initiatives also address verifying identities over the phone, recognizing and reporting vishing attempts, and the importance of securely storing confidential information and credentials.

These attacks, such as BEC (Business Email Compromise) and email fraud, differ from malware attacks because they use conversation as the payload. The threat is the discussion and the release of information that cybercriminals then use to gain further access to other employees or systems. Scammers typically conduct extensive research to execute these attacks successfully, and they possess a lot of personal information about their targets."

The same applies to attacks on individuals, where the human factor is the main component. Cybercriminals refine their tactics to get to know their victims better, so that they can play on emotional scenarios that prompt quick action and end in financial loss.

Scammers still rely on people to run these conversations. With recent advances in generative AI, however, the point at which this can be done without human assistance is not far off. Tools like ChatGPT, Bing Chat and Google Bard herald a new type of chatbot: one that can follow context, articulate reasoning and even attempt to persuade people.

Setting up the (crime) scene

A modern setup for email phishing can be as simple as one person with a computer and access to common cloud services. A smishing attack looks somewhat different: smishing kits are sold on the dark web, but gaining access to and abusing mobile networks takes more effort.

Mobile networks, unlike the internet, are closed systems, so creating and sending anonymous messages is harder. A smishing criminal must first gain access to the network, through advanced exploits or special hardware, before malicious messages can be sent. The price of 'SIM bank' hardware has recently come down, but a unit still costs hundreds or even thousands of euros, depending on how many SIM cards it holds and how many simultaneous mobile connections it can handle. Criminals must also pay for active SIM cards to populate the SIM bank, and they need a steady supply of new ones as mobile network operators get better at identifying and blocking compromised numbers. All of this drives up the scammers' connection costs.

The physical nature of mobile networks also raises the risk of detection for cybercriminals. Cell towers help network operators locate where malicious activity originates, so smishing operators must stay flexible and move around often to avoid being caught.

Social engineering and other similarities

Although smishing and phishing differ greatly, there are many similarities in the realm of social engineering.

Both rely on bait that exploits human psychology: loss aversion, a sense of urgency, and enough persuasion to prompt the victim to act. The main difference in format is that smishing attempts are shorter and less elaborate than most scam emails. The execution differs, but the trigger, a 'missed package' or a 'request from the manager', stays the same.


Figure 1: the difference between smishing bait, which is often less complex, and phishing messages on the same subject.
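The bait characteristics described above (a short text, a link, urgency, and a 'missed package' or 'manager' pretext) are exactly what a simple triage rule can score. What follows is an added example, not code from the article or from Proofpoint: a heuristic that extracts URLs from a message, flags hostname tricks (punycode, a raw IP address, a URL shortener, a brand name that is not the registered domain) and scores the lures. The lexicons, weights, threshold and sample messages are assumptions made for illustration, and no public-suffix list is used, so the 'registered domain' is approximated by the last two labels of the hostname.

```python
"""
Heuristic triage for short mobile messages (SMS / WhatsApp). It pulls URLs out
of the text, flags suspicious hostnames and scores the lures the article
describes: a link, urgency, and a pretext such as a missed package or a request
from the manager. Lexicons, weights and sample messages are assumptions made
for this example.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)[^\s<>\"']+")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Illustrative lexicons (assumed); a production list would be larger and localised.
BRANDS = {"postnl", "dhl", "ing", "rabobank", "abnamro", "belastingdienst"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly", "rb.gy"}
URGENCY = ("today", "immediately", "within 24 hours", "suspended", "blocked",
           "urgent", "last chance", "reply now")
PRETEXTS = ("package", "parcel", "customs fee", "your manager", "gift cards",
            "verify your account")
THRESHOLD = 4  # assumed cut-off; tune against real traffic before blocking on it


def extract_urls(text: str) -> list[str]:
    """Return URLs found in the message, stripped of trailing punctuation."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]


def host_flags(url: str) -> list[str]:
    """Flag hostname tricks that smishing links commonly rely on."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower()
    flags = []
    if IPV4_RE.match(host):
        flags.append("ip_host")
    if "xn--" in host:                      # internationalised (punycode) label
        flags.append("punycode")
    if host in SHORTENERS:
        flags.append("shortener")
    labels = host.split(".")
    registered_label = labels[-2] if len(labels) >= 2 else labels[0]  # no PSL: assume 2 labels
    tokens = set(re.split(r"[.-]", host))
    for brand in sorted(BRANDS & tokens):
        # Brand appears as a label or hyphenated part, but is not the registered domain
        if registered_label != brand:
            flags.append(f"lookalike:{brand}")
    return flags


@dataclass
class Verdict:
    score: int = 0
    reasons: list[str] = field(default_factory=list)
    urls: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= THRESHOLD


def score_message(text: str) -> Verdict:
    """Score one message; higher means more smishing indicators are present."""
    v = Verdict(urls=extract_urls(text))
    low = text.lower()
    for url in v.urls:
        v.score += 2                        # any link in a short message is a signal
        v.reasons.append(f"link:{url}")
        for flag in host_flags(url):
            v.score += 2                    # hostname tricks weigh as much as the link itself
            v.reasons.append(flag)
    for term in URGENCY:
        if term in low:
            v.score += 1
            v.reasons.append(f"urgency:{term}")
    for term in PRETEXTS:
        if term in low:
            v.score += 1
            v.reasons.append(f"pretext:{term}")
    return v


# Constructed sample messages for this example (not real captures).
SAMPLES = [
    "PostNL: your package could not be delivered. Pay the customs fee today: https://postnl.nl.track-9921.xyz/pay",
    "Urgent: this is your manager. I'm in a meeting and need you to buy gift cards for a client. Reply now.",
    "ING: your account has been blocked. Verify your account: https://bit.ly/3abc12",
    "Reminder: your PostNL parcel arrives tomorrow between 10:00 and 12:00. Track it at https://postnl.nl/track",
    "Your table for two is confirmed for Friday at 19:30. See you then!",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        v = score_message(msg)
        print(f"{'SUSPICIOUS' if v.suspicious else 'ok':10} score={v.score} {v.reasons}")
```

The first three constructed messages are flagged (lookalike host plus urgency and pretext; manager and gift-card pretext with no link at all; shortener plus account-blocked lure). The legitimate parcel reminder still scores 3, just under the threshold, because a delivery message with a link is genuinely close to the bait; that margin is why a heuristic like this belongs in triage rather than in automatic blocking until it has been tuned on real traffic.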

Smishing and traditional phishing attacks often approach potential victims in the same way. Alongside high-volume campaigns, both use more targeted 'spear phishing' and 'spear smishing' techniques, in which cybercriminals research potential victims thoroughly before an attack and craft tailored messages from that data, often aimed at senior employees. Mobile phone numbers are easily linked to a range of personal data, which makes them a powerful starting point for spear-smishing campaigns. Phishing and smishing also show the same 'seasonal' patterns in activity and targeting: summers are usually quieter, and over the Christmas holidays cybercriminals often take a complete break.

The big differences: phishing, smishing & vishing

Many email users automatically ignore spam and other harmful emails. Mobile messaging is relatively new by comparison, and many people still trust it as a safe channel. One of the main differences between smishing and phishing is therefore how susceptible recipients are. The click-through rate on a link in a mobile message is as much as eight times higher than in an email, so a malicious link sent by SMS or WhatsApp spreads far more effectively than the same link sent by email. That holds even in markets where SMS has largely been replaced by Messenger and WhatsApp: consumers expect important messages on these services and respond to them quickly.

In vishing, scams conducted over the phone, the attacker spends time researching the target to determine the best angle of attack and the directions the phone conversation can take. Finding phone numbers is easy; successful social engineering takes time and good research, because the scammer needs enough material to sustain the conversation. Social engineering attacks are simple to execute, and the difference between success and failure usually lies in how well the scammer prepared beforehand. Good preparation lets them escalate to the next step or avoid being caught.

Mansveld: "For a successful spear phish via the phone, scammers often need to spend a significant amount of time researching and crafting the attack. Scammers often choose specific employees who work at the intended organization and conduct in-depth research on them using various information sources. Think of freely available and public information obtained via social media like LinkedIn, Facebook, and Twitter."

Mobile malware remains a threat

Mobile malware has the same core goal as its desktop counterpart. After installing the malicious software, attackers try to gain control over the system to access potentially sensitive information and account details.

As mobile malware becomes more advanced, new types of data are stolen, with an even greater impact than before: recording phone calls, deleting video and audio, and wiping or completely destroying content and data.

A phishing or smishing link aims to entice the user to enter credentials on a fake login page, which happens almost in real time. Banking malware, by contrast, can wait until the user opens a financial app. At that moment it seizes its chance and steals data from the unsuspecting user, who believes they are safely interacting with the genuine banking app on the device.

A recent example of mobile malware is FluBot, a worm-like malware first seen in Spain in November 2020. It quickly spread to other countries, and in mid-2021 the Dutch police warned about FluBot in the Netherlands.

FluBot spreads by reading the contact list of the infected device and sending it to a command-and-control (C&C) server, which then instructs the device to send new infected messages to the numbers on that list. Besides spreading, FluBot also has internet access, can read and send messages, and can even make phone calls.
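The propagation loop just described, contacts read from the handset, uploaded to the C&C and used as the next wave's recipients, leaves a fingerprint on the sending side: one subscriber number suddenly sends link-bearing messages to many distinct numbers within minutes. The following is an added example, not the article's or any operator's code, of a sliding-window fan-out detector run over constructed SMS-gateway log lines. The log format, the ten-minute window, the threshold of five recipients, and every number and URL in it are assumptions made for illustration.

```python
"""
Sender-side detection of worm-like smishing spread: an infected handset pushes
link-bearing messages to many numbers from its address book in a short burst.
This scans constructed SMS-gateway log lines, keeps a sliding window per sender
and flags senders whose link-bearing messages reach many distinct recipients
inside that window. Log format, numbers and thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumed log format: "<ISO timestamp> from=<msisdn> to=<msisdn> body=<text>"
LINE_RE = re.compile(r"^(\S+) from=(\S+) to=(\S+) body=(.*)$")
URL_RE = re.compile(r"(?i)https?://[^\s]+")

WINDOW = timedelta(minutes=10)   # assumed burst window
MIN_RECIPIENTS = 5               # assumed fan-out threshold for a subscriber handset


def parse_line(line):
    """Parse one log line into (timestamp, sender, recipient, link hosts); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1))
    hosts = [h for h in (urlsplit(u).hostname for u in URL_RE.findall(m.group(4))) if h]
    return ts, m.group(2), m.group(3), hosts


def find_spreaders(lines):
    """
    Return {sender: (distinct_recipients, sorted_link_hosts)} for every sender
    whose link-bearing messages reached >= MIN_RECIPIENTS distinct numbers within
    WINDOW. Lines are assumed to arrive in time order, as a log stream would.
    """
    recent = defaultdict(deque)   # sender -> deque of (ts, recipient, host), oldest first
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # skip malformed lines rather than crash the scan
        ts, sender, recipient, hosts = parsed
        if not hosts:
            continue                      # plain chatter never counts toward the fan-out
        window = recent[sender]
        window.append((ts, recipient, hosts[0]))
        while ts - window[0][0] > WINDOW: # drop entries that fell out of the window
            window.popleft()
        recipients = {r for _, r, _ in window}
        if len(recipients) >= MIN_RECIPIENTS:
            flagged[sender] = (len(recipients), sorted({h for _, _, h in window}))
    return flagged


# Constructed gateway log for this example (not real traffic). Sender ...002 is the
# infected handset; ...001 and ...004 share links legitimately; ...003 sends no link.
LOG = """\
2024-05-07T09:00:05 from=+31600000001 to=+31600000101 body=Lunch today? Table here: https://maps.example/place
2024-05-07T09:02:10 from=+31600000002 to=+31600000201 body=Your package is waiting, schedule delivery: https://post-nl-delivery.top/a1
2024-05-07T09:02:41 from=+31600000002 to=+31600000202 body=Your package is waiting, schedule delivery: https://post-nl-delivery.top/b7
2024-05-07T09:03:15 from=+31600000002 to=+31600000203 body=Your package is waiting, schedule delivery: https://post-nl-delivery.top/c2
2024-05-07T09:03:50 from=+31600000002 to=+31600000204 body=Your package is waiting, schedule delivery: https://post-nl-delivery.top/d9
2024-05-07T09:04:22 from=+31600000002 to=+31600000205 body=Your package is waiting, schedule delivery: https://post-nl-delivery.top/e4
2024-05-07T09:05:01 from=+31600000003 to=+31600000301 body=Are we still on for tonight?
2024-05-07T09:05:40 from=+31600000002 to=+31600000206 body=Your package is waiting, schedule delivery: https://post-nl-delivery.top/f5
not a log line at all
2024-05-07T09:30:00 from=+31600000001 to=+31600000102 body=Same place: https://maps.example/place
2024-05-07T11:00:00 from=+31600000004 to=+31600000401 body=Photos from Saturday: https://photos.example/s1
2024-05-07T11:30:00 from=+31600000004 to=+31600000402 body=Photos from Saturday: https://photos.example/s1
2024-05-07T12:00:00 from=+31600000004 to=+31600000403 body=Photos from Saturday: https://photos.example/s1
2024-05-07T12:30:00 from=+31600000004 to=+31600000404 body=Photos from Saturday: https://photos.example/s1
2024-05-07T13:00:00 from=+31600000004 to=+31600000405 body=Photos from Saturday: https://photos.example/s1
"""

if __name__ == "__main__":
    for sender, (n, hosts) in find_spreaders(LOG.splitlines()).items():
        print(f"{sender}: {n} distinct recipients within {WINDOW} via {hosts}")
```

Only the burst sender is flagged. The subscriber who forwards the same photo link to five contacts over two hours never has five recipients inside one window, and link-free chatter is ignored entirely, which is what keeps a simple fan-out rule from tripping on ordinary use. In practice the threshold would be set per subscriber class (handsets versus application-to-person short codes) and combined with content-based signals before a number is blocked.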

Once the unsuspecting user opens a targeted app, this malware can place a fake screen over the real one (an overlay) to capture passwords for banks, brokers and other sites.


Protect yourself, your employees, and your organization

Mobile phones serve as a common connection point between professional and personal life, making them a valuable target for cybercriminals. Just one infected device can provide access to individual and corporate finances, sensitive personal information, and confidential commercial documents.

The mobile malware threat landscape, like smishing and vishing, is evolving rapidly. New opportunities and new players appear every day, and social engineering tactics keep improving. Awareness is essential.

Users must be wary of unexpected or unsolicited messages that contain URLs or ask for data. Installing a mobile antivirus application from a trusted source, as we are used to doing on desktops and laptops, is also a good idea. And security awareness training within organizations that covers all forms of mobile threats is more important than ever, and deserves attention in proportion to the risks those threats pose.

Read also: Vishing Breaks All Records in 2022 | WINMAG Pro

Read also: Proofpoint: Facebook leak likely leads to increase in smishing attacks | WINMAG Pro
